Secure Web Transactions - InCommon SSL Certificates

Certificate Services

The Secure Sockets Layer (SSL) protocol provides assurance that a web server is the one it claims to be and encrypts the conversation to prevent network eavesdropping. In order to run a secure web server, a system administrator must obtain a digital certificate signed by an external third party (a certificate authority). This is similar in concept to obtaining a notarized document. InCommon is one firm offering digital certificates.

The University has purchased certificate service through InCommon (which uses Comodo as its certificate authority). The arrangement provides unlimited certificates for the University community. This is intended to improve security at the University by allowing certificates to be used more widely, including in test environments.

IMPORTANT: Effective September 22, 2014, SHA-2 SSL certificates must be requested going forward. Existing SHA-1 SSL certificates are being deprecated and will need to be replaced by a more secure SHA-2 SSL certificate. Please see the SHA-2 section of the FAQs below.

InCommon's Self Service Enrollment

Enrollment requires NetID authentication. Certificates are available for faculty and staff use only.

Note: If you need to revoke a certificate, please contact the University IT Help Desk at 275-2000.

Frequently Asked Questions

SHA-2 SSL Certificates

Why is this change from SHA-1 to SHA-2 being made?

SHA-1 and SHA-2 are cryptographic hash algorithms ("hashes"). They are one of the components of the digital signatures that make secure certificates work. As time passes and new technologies are developed, existing cryptographic algorithms become relatively weaker as attacks evolve with increasingly powerful computers and advances in cryptanalysis. Other hash algorithms (e.g., MD5, MD4, and MD2) have already been retired because they are no longer secure against today's threat capabilities. The time has come for SHA-1 to be retired.

Why is this change occurring now?

The retirement of SHA-1 has been in sight for a long time. Standards organizations like NIST have been directing the use of SHA-2 for some time now. The recent vulnerability discoveries have crystallized the need for actual dates when SHA-1 support will be retired from popular mainstream browsers and operating systems.

Why should you care about this change?

Unless SHA-2 SSL certificates are in place by the retirement deadlines, your customers may start to see warning messages in their browsers about the security of the https site they are visiting. It is recommended to install a new SHA-2 SSL certificate for your browser-based application as soon as is convenient. According to Certificate Authorities, the transition to SHA-2 is one way that the CAs and browser vendors continue to ensure that the encryption standards in use are at least 10 years ahead of the most advanced cryptanalysis techniques available. SHA-1 will be deprecated altogether by mainstream platforms on or before January 1, 2016.

Does anything still need SHA-1 SSL certificates?

Some older browsers and operating systems may not support SHA-2 SSL certificates; one example is Microsoft Windows XP Service Pack 2 and below. Most mainstream web browsers and operating systems have been compatible with SHA-2 for quite some time.

Examples of older browsers that support SHA-2 include Internet Explorer 6.0+ and Apple Safari on Mac OS X 10.5+. Older operating systems and servers such as Mac OS X 10.5, Windows XP SP3, Windows Server 2003 SP1, and Apache 2.0.63 have also been reported as compatible with the stronger SHA-2 cryptographic algorithm.

Can I still get a SHA-1 certificate if I need it?

For the present, yes. It has been reported that until January 1, 2015 you can request SHA-1 SSL certificates, though they will be limited to a one-year term. Please note, however, that some mainstream web browsers will begin deprecating SHA-1 certificates on January 1, 2015. It is recommended that going forward only SHA-2 SSL certificates are requested.

What needs to be done if you already have a SHA-1 certificate that expires on or after January 1, 2016?

A new SHA-2 SSL certificate will need to be requested and installed. Please note that renewing an existing SHA-1 certificate will not automatically upgrade it to the new SHA-2 standard; you must request and install a new SHA-2 SSL certificate.

You will still obtain the SHA-2 certificates in the same manner in which SHA-1 SSL certificates are requested today.
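To find out which of your existing certificates are SHA-1 signed and therefore need a fresh SHA-2 request rather than a renewal, the following checker reads the signatureAlgorithm field of an X.509 certificate (PEM or DER) with a minimal DER walker. This is an added example, not a tool from the University or InCommon; the two embedded "certificates" are constructed minimal DER structures for offline testing, not real certificates, and the OID table covers only the RSA signature family.

```python
import base64
import re

# Signature-algorithm OIDs (RSA family only; ECDSA certificates would need their own entries).
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA2_RSA = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

def read_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """DER OID content bytes to dotted notation (first byte = 40*a+b, then base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate and read the OID inside the signatureAlgorithm AlgorithmIdentifier."""
    tag, pos, _ = read_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = read_tlv(der, pos)              # tbsCertificate, skipped whole
    tag, alg_start, _ = read_tlv(der, tbs_end)      # signatureAlgorithm SEQUENCE
    tag2, oid_start, oid_end = read_tlv(der, alg_start)
    assert tag == 0x30 and tag2 == 0x06, "malformed AlgorithmIdentifier"
    return decode_oid(der[oid_start:oid_end])

def pem_to_der(pem):
    """Strip PEM armour and whitespace, then base64-decode to DER."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

def classify(der):
    """Return (algorithm name, needs_sha2_replacement); flag is None for OIDs outside the table."""
    oid = signature_oid(der)
    if oid == SHA1_RSA:
        return "sha1WithRSAEncryption", True
    return SHA2_RSA.get(oid, oid), (False if oid in SHA2_RSA else None)

# Constructed minimal DER "certificates" (placeholder tbs, empty signature) for offline testing.
SAMPLE_SHA1_CERT = bytes.fromhex("3016" "3003020101" "300b06092a864886f70d010105" "03020000")
SAMPLE_SHA256_CERT = bytes.fromhex("3016" "3003020101" "300b06092a864886f70d01010b" "03020000")
```

For a real server certificate, `classify(pem_to_der(open("server.crt").read()))` returns the algorithm name and whether a SHA-2 replacement is needed.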

General

What is the difference between getting a certificate through the University’s InCommon contract, compared to buying directly from InCommon (or any other certificate vendor)?

In order to obtain or renew a certificate directly from a commercial Certificate Authority, you must follow these steps, which can cause a significant delay in turnaround:

Wait for the vendor to call HR to verify your identity, employment, etc.

Then go through the technical steps of generating a certificate signing request, downloading the signed certificate, etc.

By taking advantage of the University's InCommon Service, the University provides the approval for InCommon to generate your certificate. The process can go much more quickly, as most of the paper handoffs and manual interventions are gone.

Certificates are available with one-, two-, or three-year terms. Please do not let your certificate expire. Renew your certificates early! Since there is no departmental cost associated with the certificates, we suggest renewing at least a month before expiration to prevent certificates from expiring and impacting your environment.

What is the cost of the certificates?

The certificate service has been purchased by the University of Rochester. The certificates are being provided to departments at no cost.

How long does it take to receive a certificate?

Generally, you should have your certificate within 24 hours if you request it Monday - Thursday between the hours of 8:00am - 5:00pm. You need to request your certificate before noon on Fridays to have it approved prior to Monday.